Stop… It’s Patchin’ Time – Apache Struts Security Alert

Every good system administrator knows to watch the errata announcements for their operating system and address the vulnerabilities they describe. Every good network administrator knows to monitor inbound and outbound port usage at the firewall and to enable only the services they intend to expose, securely configured. The same holds for developers and architects. To be the best at what we do, we have to keep ourselves aware of vulnerabilities in the libraries and software packages we build on.

Recently the Apache Struts project released version 2.3.15.1 to address a vulnerability in 2.3.15 and earlier releases. The vulnerability is discussed in FBI Liaison Alert #M-000016-BT and may permit remote command execution against a Struts application. Because Struts is a web application framework rather than an operating-system package, its jars are almost always bundled with the application itself, in the WEB-INF/lib folder of the web archive (WAR) file, so an operating-system patch will not fix it: each application that carries the library has to be updated. If you are using Struts 2 in a customer-facing web application with a version earlier than 2.3.15.1, I encourage you to patch it as soon as possible.

As stewards of Open Source software and partners of Open Source vendors, we at Shadow-Soft embrace the openness and transparency not only of the features of our Open Source solutions, system integrations and partners, but also of the defects that are bound to occur in any software. When you embrace Open Source, nothing is hidden, and that transparency works in your favor.

Remember to replace every copy of the Struts libraries: the one in the WEB-INF/lib folder of each deployed application (exploded or still packed in its WAR), and any copy sitting in the app server's shared library folder, where a single old jar can serve several applications at once. Redeploy or restart afterwards so the running applications actually pick up the new jars. Happy patching!
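The inventory the two paragraphs above call for, written as an added example (this is not code from the original post): a POSIX shell script that walks a directory tree such as an app server's installation root, finds every struts2-core jar in exploded WEB-INF/lib and shared lib folders and, if Info-ZIP unzip is available, inside packed .war/.ear files, and reports the ones older than 2.3.15.1. It assumes the jar file name carries the version (struts2-core-2.3.15.jar), which is how the Struts project names its release jars; a renamed jar would be missed and needs a manual look at its META-INF/MANIFEST.MF.

```shell
#!/bin/sh
# Added example, not part of the original post: list every struts2-core jar
# under a directory tree that is older than the fixed release.
# Assumption: the jar file name carries the version (struts2-core-2.3.15.jar).

FIXED_VERSION="2.3.15.1"

# "/some/path/struts2-core-2.3.15.jar" -> "2.3.15"
struts_version_from_jar() {
    b=$(basename "$1" .jar)
    printf '%s\n' "${b#struts2-core-}"
}

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Missing trailing components count as 0, so 2.3.15 is older than 2.3.15.1;
# non-numeric qualifiers such as "1-SNAPSHOT" are truncated to their digits.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Print "<location> <version>" for each struts2-core jar under ROOT that is
# older than FIXED_VERSION. Covers loose jars on disk (exploded webapps and the
# app server's shared lib folder) and jars still packed inside .war/.ear files.
vulnerable_jars() {
    root="$1"
    # 1. Loose jars on disk
    find "$root" -type f -name 'struts2-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
        v=$(struts_version_from_jar "$jar")
        if version_lt "$v" "$FIXED_VERSION"; then
            printf '%s %s\n' "$jar" "$v"
        fi
    done
    # 2. Jars inside packed archives (needs Info-ZIP unzip for the listing)
    if command -v unzip >/dev/null 2>&1; then
        find "$root" -type f \( -name '*.war' -o -name '*.ear' \) 2>/dev/null | while IFS= read -r archive; do
            unzip -Z1 "$archive" 2>/dev/null | grep 'struts2-core-.*\.jar$' | while IFS= read -r entry; do
                v=$(struts_version_from_jar "$entry")
                if version_lt "$v" "$FIXED_VERSION"; then
                    printf '%s!%s %s\n' "$archive" "$entry" "$v"
                fi
            done
        done
    fi
}

# Usage: sh struts-check.sh /opt/tomcat   (scans webapps/ and lib/ alike)
if [ $# -gt 0 ]; then
    vulnerable_jars "$1"
fi
```

Each output line is the location of an old jar (archive entries are written as archive!entry) followed by the version found, so an empty result means nothing older than 2.3.15.1 was seen under that root. Point it at every app server installation, not just the one you deploy to most often, and at any build-artifact repository that feeds them.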
